Android’s Biggest Threat Isn’t Malware, It’s Lost Phones

Security people are, by and large, a bit of a dour lot. It’s not their fault, but their industry focuses on all the bad things that could happen to you—many of which you’ve never worried about before. That’s why it’s surprising to hear a security researcher tell me that not only is Android malware protection not a big deal, but that mobile security is a huge success story.

It Could Be So Much Worse Mikko Hypponen, chief research officer at F-Secure told SecurityWatch just that during a recent conversation about the company’s latest security suite for Android, which went up on Google Play last week. “That we still don’t have bigger problems than we do should be thought of as a success story,” he said. “For once, we’ve managed to learn from the mistakes of the past.”

To make his case, and it is a convincing one, he points to the fact that despite smartphones being around for a decade the threats are fairly rare. “We don’t have malware problems on iPhone or Windows phones,” said Hypponen. “[It’s a] limited problem on Android phones.”

Why Android is Targeted Hypponen points out that security companies can only work on Android because of the freedom the platform allows. He noted, a bit ironically, that this is the same reason why malware exists on the Google Play store.

“It’s pretty much what Google was aiming for,” explained Hypponen, who doesn’t believe that the search giant who owns Android is to blame for the malware on the platform. “They wanted it to be more open, more accessible, more programmable.”

With Android, you can create any app you like and install any app from anywhere. This gives consumers enormous freedom of choice—something envied by Apple users who have to jailbreak their phones for the same experience.

“It would have been easy to assume that Linux based phones would have no malware,” said Hypponen, referring to Android’s Linux roots and the relatively small amount of malware targeting Linux computers. “But it’s the opposite.”

It Really Isn’t That Bad Generally speaking, Android malware requires users to seek it out or activate it. “On Windows [computers], you can get hit from the web,” said Hypponen. “You don’t get infected by surfing the web on mobile.”

Trojanized apps—that is, pirated apps with code added by bad guys and disseminated for free—make up the vast majority of malware threats on Android. And even here, Hypponen says that danger is relatively low. “We see a few hundred families a quarter,” he said. These apps are generally relegated to third-party stores, and require victims to seek out a cracked or free version of paid software and take the extra steps of sideloading it.

Phishing is also a threat that concerns Hypponen, because the truncated views in most web browsers mean it’s harder to tell if the site you’re sending personal information to is legitimate or not.

So Why Get Security Software? The biggest threat to Android users, said Hypponen, is theft or loss. He reported that F-Secure had run a study and found that, “1 in 10 said they had their phone lost or stolen.”

This is something security companies have been working to address, and most include some kind of mechanism to remotely locate a lost or stolen phone. Many, like F-Secure, also let you remotely lock or wipe your device remotely. At a time when just about every anti-malware suite on Android scores well above 90 percent detection, it’s features like this that make a huge difference.

Hypponen warns that most of the bad guys building malware have focused on Windows XP as the target of choice. Eventually, he says, organized crime will have to look elsewhere after Microsoft stops supporting XP and it becomes less popular. Android would make a tempting target because things like premium SMS messages make it easy for attackers to make money on the platform. However, that could be years, if not a decade, away.

In the end, Hypponen is optimistic about the future of mobile platforms. After all, we’ve made it this far without too many horrific upsets.